Bug Bounty Hunter exposes glitch in Uber that let users ride for free

By Siddharth Chauhan, March 6, 2017, 3:29 p.m.

Uber’s security programme awarded Anand with $13,500

Bengaluru-based Anand Prakash, a web application security expert and bug bounty hunter, discovered a glitch in Uber’s payment system that could have been used to get unlimited free rides. The bug has since been fixed by Uber’s security team, and the white hat hacker lays it all out on his blog.

Anand explains on his blog that anyone could have misused his method, which would have cost the company dearly. He goes on to demonstrate the bug he found by creating an account on Uber and then booking a ride normally. Only when the ride is completed does Uber ask for payment, by cash or credit/debit card. However, Anand found that by submitting an invalid payment method on dial.uber.com through some backend modifications, he was able to ride with Uber for free. With Uber’s consent, he tested the bug in both the United States and India.
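The failure described above is the backend accepting whatever payment-method identifier the client supplies and settling the ride regardless of whether a charge was ever collected. The following Python sketch is an added illustration, not Uber’s code or anything from Anand’s write-up: it puts that pattern beside a server-side check that only honours payment methods that exist, belong to the requesting rider, passed verification when they were added, and actually produce a successful charge. All names (`METHODS`, `gateway_charge`, `complete_ride_*`) and the sample riders and cards are constructed for the example.

```python
"""Server-side validation of a client-supplied payment method (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class PaymentMethod:
    method_id: str
    owner_id: str
    verified: bool          # card was authorised when the rider added it


@dataclass(frozen=True)
class SettlementResult:
    settled: bool           # ride marked as paid and closed
    charged: float          # amount actually collected
    reason: str


# Constructed sample data: one verified card for alice, one unverified card for bob.
METHODS: Dict[str, PaymentMethod] = {
    "pm_alice_visa": PaymentMethod("pm_alice_visa", "alice", True),
    "pm_bob_pending": PaymentMethod("pm_bob_pending", "bob", False),
}


def gateway_charge(method: Optional[PaymentMethod], amount: float) -> bool:
    """Stand-in for a card processor: succeeds only for a known, verified card."""
    return method is not None and method.verified and amount > 0


def complete_ride_vulnerable(rider_id: str, client_method_id: str, fare: float) -> SettlementResult:
    """Trusts the identifier the client sent and closes the ride whether or not
    the charge succeeded: an unknown or invalid method yields a free ride."""
    method = METHODS.get(client_method_id)
    ok = gateway_charge(method, fare)
    return SettlementResult(True, fare if ok else 0.0, "ride closed")


def complete_ride_hardened(rider_id: str, client_method_id: str, fare: float) -> SettlementResult:
    """Validates the payment method on the server and fails closed."""
    method = METHODS.get(client_method_id)
    # 1. The identifier must name a stored method owned by this rider; a
    #    value the client made up, or another rider's method, is rejected.
    if method is None or method.owner_id != rider_id:
        return SettlementResult(False, 0.0, "unknown or foreign payment method")
    # 2. The method must have passed verification when it was added.
    if not method.verified:
        return SettlementResult(False, 0.0, "payment method not verified")
    # 3. The ride is settled only if the processor actually collected the fare;
    #    otherwise it stays open for collection instead of silently becoming free.
    if not gateway_charge(method, fare):
        return SettlementResult(False, 0.0, "charge declined; ride held for collection")
    return SettlementResult(True, fare, "ride closed and charged")


if __name__ == "__main__":
    fare = 12.50
    print(complete_ride_vulnerable("alice", "pm_made_up", fare))
    print(complete_ride_hardened("alice", "pm_made_up", fare))
    print(complete_ride_hardened("alice", "pm_alice_visa", fare))
```

The point of the hardened version is that the payment method is resolved and authorised on the server, using the rider identity from the session rather than anything in the request body, and that a failed charge leaves the ride unsettled rather than closing it at zero.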

Uber’s security programme awarded Anand $13,500 for his discovery. Anand has previously identified bugs in platforms run by companies such as Facebook, Google, Twitter, Adobe and PayPal, and has received bounties for those as well.

Last year, Anand identified a bug in Facebook’s login interface that could have allowed hackers to compromise more than 1.6 billion user accounts. Anand reported it to Facebook and received $15,000 through their Bug Bounty Program.